Except the majority of phones on this planet are not iPhones. And let’s not forget that some people still like to, you know, log into websites on an actual computer.

At least the article states that Apple is working to find a way to do this with all systems.
The underlying technology is already available on Windows, Android and Apple platforms and integrated into all the modern browsers. Apple is trying to standardize the extension of that platform where they say that a synchronized account (like iCloud) is the source of the authentication, rather than a specific phone or laptop.

High security environments likely care and expect the current behavior. For instance, my employer might want to know that I'm only able to log in through my work laptop and not my personal phone.
 
The reality is that 1P has been adding more features for IT/enterprise needs for a while, while living off that recurring individual/family subscription revenue. So I suspect they will double-down on business needs if consumer revenue starts to dwindle.

The problem with 1P and other password managers here is that while Apple is willing to add support for their password vaults to have the same integration options as Apple's built-in vault, these modern passwordless schemes are an entirely separate animal. Passwords are user managed and thus sites have to work around user error (like using the same password everywhere) by having password heuristics, requesting additional factors, risk monitoring systems, breach lists, etc.

These systems are being sold as a way to simplify and strengthen authentication and eliminate the need for all that extra infrastructure. In addition to public/private key cryptography, there are attestations that say information about the implementation. Apple's implementation will be integrated into the secure enclave of a battle-hardened device. 1Password's implementation fundamentally would not have the same security guarantees because it is ultimately a pure software implementation using cloud synchronized vaults.

So while many sites would not care about the limitations of 1P, the sites which most need security (employers, banks, government, etc.) would reject the use of 1P's implementation. After all - your iPhone, mac, windows desktop, android, etc all have hardware-based implementations already integrated, and those _did_ pass the security review.

Can you confirm this? According to the video, the private keys are being stored in Keychain, not in the secure enclave. iCloud keychain is synchronized via the cloud as well. Unless you saw something different in the video, the secure enclave is not directly involved.
 
Great development from Apple here. I hate having multiple passwords in general and I still write them down old school style.

What I don't understand is why, when Apple develops something, everyone thinks they should make it available for everyone on different platforms? Apple seems to be the only company that is asked to do this for everyone, including themselves. No one asks McDonald's to give out their Big Mac sauce to the entire fast food chain.
 
Great development from Apple here. I hate having multiple passwords in general and I still write them down old school style.
Please, look at least at using Keychain passwords. Even a basic password manager is better than nothing.
What I don't understand is why, when Apple develops something, everyone thinks they should make it available for everyone on different platforms? Apple seems to be the only company that is asked to do this for everyone, including themselves. No one asks McDonald's to give out their Big Mac sauce to the entire fast food chain.
Because more than 50% of the mobile market and 80% of the computer world does not run on Apple? Most service providers (like websites, which would need to implement it on the server side) aren't going to spend time and money to implement a solution that only works with a minority of devices.

Fortunately, Apple is not inventing anything new here, despite what MR posters believe. The WebAuthn implementation already exists and can be used today. What Apple is doing here is coming up with a way to keep your private keys secured on your device (instead of on a separate piece of hardware.) From the server side, nothing has changed.

There is nothing I see that would prevent Microsoft or Google from offering a similar solution on their ecosystems. (They may even have or be working on similar already, I haven't looked.) In fact, I don't see why 3rd party vendors couldn't offer a similar solution on macOS/iOS.
 
Yes, it's different. It's like how SSH keys are handled. Your actual key is never sent to the remote site, so even if that site is somehow compromised, they won't get your key.

The "paint" analogy is my favorite:
You are likely right - but a zero knowledge proof can also be done with conventional passwords
 
Bring out a cross platform Keychain and I can see me using this. I use both Mac and Windows machines throughout the day, and having no access to the passwords in Keychain would be a headache. Maybe in Apple's minds that would have me switch everything to Apple, but back in the real world it would just piss me off and be less likely to use Apple's offering.
 
Bring out a cross platform Keychain and I can see me using this. I use both Mac and Windows machines throughout the day, and having no access to the passwords in Keychain would be a headache. Maybe in Apple's minds that would have me switch everything to Apple, but back in the real world it would just piss me off and be less likely to use Apple's offering.
That already exists. Apple created a Chrome extension to use iCloud Keychain.
 
That already exists. Apple created a Chrome extension to use iCloud Keychain.
The reviews are somewhat interesting. From it plain not working, to it overriding the chrome password manager with no ability to create passwords, to having to use 2FA on every page, it certainly doesn't look like something you should install if you want a stress free experience.
 
I hope they add Touch ID in the Power Button to more iPads and the iPhone. I’d be glad to use Touch ID in lieu of passwords.
If that Touch ID Power Button doesn't show up on iPhones...a lot of people are going to be disappointed. Come on, Apple. "Leverage" that tech it no doubt cost millions to R&D and put it into more than just one of your products (iPad Air 4).
 
The issue isn’t that Touch ID and Face ID aren’t secure, it’s that Apple is trying to protect you from government overreach. This is very much a benefit, not a flaw.
I thought it was just that they didn't want you to forget your passcode.
 
They are there to keep you safe. For example, if you are kidnapped and you are forced to look at the screen to open it. You can hold two buttons down as you take your phone out of your pocket and it will lock Facetime out and require a passkey that you type.

If you are kidnapped, pretty sure they can force you to type the passcode.
 
I thought it was just that they didn't want you to forget your passcode.
I mean there’s that too I guess but it’s definitely not the main factor. After all, it’s impossible to forget your fingerprint or face so if they could rely on that entirely, then you wouldn’t need to remember your passcode.
 
sounds quite interesting, good move
IF apps use it.

So many apps do such a terrible job of using even the existing Apple biometrics -- and are utterly convinced that they know more about security than Apple does.
In the Hall of Fame we have an app like 1Password that allows you to use biometrics -- always! and it always works.

In the Hall of Shame we have so many other apps. Of course there are the vast majority that don't even bother with biometrics (think your average banking app or your average iot app).
But then we get the incompetents like Tesla (in theory you can set biometrics, but in practice for about two years every time the app updated, it wiped that setting and you had to log in via password till you could re-set it).
Or we get the idiot companies that kinda understand that logging in every time is a pain (and the damn iPhone is already protected better than anything you can do) but think it's important "for security" to ask for your password once a month -- yes, Orbi, I'm looking at you.
Or the truly lowest of the low, like iSmartGate, that insist on logging in (and doing this SLOWLY) EVERY FSCKING TIME you bring the app to foreground. Just wanted to check out something else in a different app -- oops, time to waste another 30 seconds logging in again.

So yeah, I applaud Apple's attempts to improve this. But how about they use that App Store muscle they're supposed to have to refuse to allow apps that don't use Apple biometrics, and use them sensibly?
 
If you are kidnapped, pretty sure they can force you to type the passcode.
Security
 
A Nigerian Prince already showed me a simple way to implement this. All I had to do was share my bank account with him. Now I'm all set!
 
The reviews are somewhat interesting. From it plain not working, to it overriding the chrome password manager with no ability to create passwords, to having to use 2FA on every page, it certainly doesn't look like something you should install if you want a stress free experience.
It’s brand new. None of this stuff is finished yet.
 
Can you confirm this? According to the video, the private keys are being stored in Keychain, not in the secure enclave. iCloud keychain is synchronized via the cloud as well. Unless you saw something different in the video, the secure enclave is not directly involved.
*grin* I was wondering if someone would ask me to clarify my ambiguity. Buckle up!

Today, Safari already has support for these APIs, but its implementation is limited to the local secure enclave. The passkey system makes it so that any device on an account can get those keys from their respective secure enclaves.

I don't even know if Apple knows if they support both going forward or migration of existing Safari WebAuthn registrations for sites to the new system - there was definitely an expectation that Apple would not change the security properties underneath those websites.

In terms of the underlying technology and what this change means in terms of keychain vs local secure enclave storage, and why that's a bit nuanced:

It helps to understand that many secure enclave type systems do not have their own storage, so there is security data stored outside the secure enclave - it is just in a format that is worthless to others. You typically see this done by having creation and use of a key split:
  1. Your application gives policy on the properties you want your key to have.
  2. The secure enclave generates seed data and hands you back a secured message that may have some policy information and that seed data embedded in it.
  3. Whenever you supply that message, the secure enclave regenerates the same key, and recognizes/applies any policy elements it needs to pay attention to.
I'm fairly certain Apple uses this technique, and WebAuthn is designed around supporting this idea.

There are systems which do allow you to import a key directly from a file, but it is uncommon - generally this means that the security of the key is 'tainted' already at the start. Instead, secure enclaves typically have some sort of negotiation of a shared key between them where the data is never available unencrypted, and have some sort of policy control (again, some sort of key) used to enable this negotiation.

I have not looked at how they handle this in iCloud Keychain these days, but I _suspect_ they have a mix of standard and custom protocols to do this, and hard-coded policy to only allow negotiation with Apple secure enclaves. The user-visible part of this protocol is seen when you turn on iCloud Keychain syncing or pair a new iCloud account and it starts asking for the passwords you have on other Apple devices. The passwords are used to generate cryptography keys locally, same as the passcode you enter when you reboot your device. So it isn't possible for Apple or any other party to negotiate this import without knowing the passwords or your recovery key.

These are the sorts of systems where someone like Apple wants protection from the _liability_ of potentially getting access to all your passwords - you can't be hacked for information you don't have ;-)

Anyway:

This appears to be a new policy mode for the secure enclave that they have not yet documented (likely an expansion on kSecAttrSynchronizable) - AFAIK the current shipping operating systems can only synchronize passwords via iCloud using this system, not keys.

The behavior here is that iCloud synchronizes a bunch of protected input data and policy that is meaningless outside of a secure enclave which hasn't gone through the prior negotiation - but if they have, they now all have enough information to derive the same private key and policy.

So when you go to a website, the system supplies this bundle of protected data and a bit of extra information. The secure enclave may have a policy it enforces (you need to let me go through FaceID), and then it derives the same key pair it has used previously - even if that has only ever been done on another device.
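A toy model of the three-step create/use split described in the post above, added here as an example; it is not the poster's code and not Apple's implementation. The enclave holds only a root wrapping key, returns an AES-GCM blob of seed plus policy, and regenerates the same Ed25519 key pair whenever that blob is handed back. AES-GCM wrapping, Ed25519 and the single user-presence policy bit are stand-ins I chose, since the Secure Enclave's real formats are not documented on this page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// PolicyUserPresence: the key may only sign after a user-presence (Face ID) check.
const PolicyUserPresence byte = 1
// Enclave models a secure enclave: its root wrapping key (inside wrap) never leaves it.
type Enclave struct{ wrap cipher.AEAD }

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand.Read cannot fail on Go 1.24+
	return b
}

func NewEnclave() *Enclave {
	block, _ := aes.NewCipher(randBytes(32)) // 32-byte key and AES block size:
	g, _ := cipher.NewGCM(block)            // neither constructor can fail here
	return &Enclave{wrap: g}
}
// CreateKey (steps 1-2): the enclave picks a seed the caller never sees and
// returns nonce || AES-GCM(seed || policy) plus the matching public key.
func (e *Enclave) CreateKey(policy byte) ([]byte, ed25519.PublicKey) {
	seed, nonce := randBytes(ed25519.SeedSize), randBytes(e.wrap.NonceSize())
	blob := e.wrap.Seal(nonce, nonce, append(seed, policy), nil)
	return blob, ed25519.NewKeyFromSeed(seed).Public().(ed25519.PublicKey)
}
// Sign (step 3): the enclave unwraps the blob, enforces the policy, regenerates
// the same key pair and signs; a tampered or foreign blob fails to open.
func (e *Enclave) Sign(blob []byte, userPresent bool, challenge []byte) ([]byte, error) {
	ns := e.wrap.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	plain, err := e.wrap.Open(nil, blob[:ns], blob[ns:], nil)
	if err != nil {
		return nil, errors.New("blob was not wrapped by this enclave")
	}
	seed, policy := plain[:ed25519.SeedSize], plain[ed25519.SeedSize]
	if policy&PolicyUserPresence != 0 && !userPresent {
		return nil, errors.New("policy requires user presence")
	}
	return ed25519.Sign(ed25519.NewKeyFromSeed(seed), challenge), nil
}
```

Handing the same blob to a second NewEnclave() fails to open it, which is the post's point that synced data is meaningless to an enclave that has not gone through the prior negotiation; in the model, "negotiation" would mean sharing the root wrapping key.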
 
The reality is halfway in-between. Someone operating legally may not be able to use evidence they gather under duress - and the use of biometrics and passcodes has different rights in some jurisdictions.

Likewise, if you are mugged, the _process_ of, say, unpairing your iPhone from Find My or reentering a PIN may take enough time that they will be discouraged.

But if someone can grab you and keep you under duress in private for a period of time, yeah, you likely will give them the information they want if you are capable of doing so. In some cases (say money transfers) there may be phone calls and the like requested to again make the process risky for the 'bad guys'. This might include a 'duress' password which hides that it releases minimal access, and potentially indicates to the 'good guys' what is going on.

I will likely never be in such an action-movie-style scenario though :cool: 🤓
 